The revealing nature of used hard drives

Identity thieves are gleaning large amounts of personal and corporate information from scrapped computers

By Peter Warren / THE GUARDIAN , LONDON

Bill Kerridge is a pub owner who runs an award-winning pub in North Shields, northern England, and whose daughter is a talented gymnast.

Normally, Kerridge would be happy for the readers of a national newspaper to know those details, but this time he was not, because along with a wealth of other information relating to his family, the data was recovered from a computer hard drive bought over the Internet via eBay that the Kerridges knew nothing about.

The news that such personal information about his family holidays, his eldest daughter's training regime and details of his business had been recovered as part of an investigation by British Telecom (BT), data destruction specialists Life Cycle Services and researchers at Glamorgan University has shocked Kerridge.

Richard Martin, 53, was another individual who felt the same way. A hard drive from a personal computer that he had thought he had disposed of properly yielded highly personal letters relating to his financial affairs, including details of bank accounts and insurance claims.

Information of this kind is potential gold for the UK's fastest growing crime trend: identity theft.

"I think that this is shocking, that there is information like this going around about my family," Kerridge said.

"Basically I think that there should be a lot more information made available to people on how to destroy the data on their computers. I wouldn't know the first thing about how you would go about destroying this data," he said.

Martin had given his computer to the information-technology (IT) department of Man Trucks, the company he was working for, and asked them to destroy it. Both Kerridge and Martin are fairly typical of the bulk of the UK population who see the value of new technology in the computer rather than the data it is able to process, obtain and retain.

This is a potentially fatal error given the close relationship that now exists between computers and ourselves, as Kerridge's case has proved.

As the university's forensic team conducted the research, it peeled back the layers on the disk. Web searches, phone numbers of employees, e-mail conversations and details of their daughter's boyfriends -- all spilled onto the university computers.

There was enough data for a would-be identity thief to garner more information by ringing up those people identified and "socially engineer" more relevant details.

In the case of Rob Morris, a 38-year-old IT worker from Swindon in southwest England, it could have been even more damaging. Details of his mobile phone account were found on a disk that had been disposed of by Vodafone -- which bought the company he worked for, Cellular Operations, in 2003.

According to Morris, Cellular Operations also held crucial personal details such as his date of birth and credit card records on the discarded disk.

"When Cellular Operations was taken over by Vodafone they were only interested in the subscriber base -- they got rid of the buildings, the computers and the people," he said.

"It's a bit worrying that a company like Vodafone has not disposed of it properly," Morris said.

It is also potentially illegal and could lay Vodafone open to prosecution by anyone who finds that poor safeguards on their personal data have led to losses from ID thieves or hackers -- a risk highlighted by UK Information Commissioner Richard Thomas in his annual report in May this year.